1. Which setting in indexes.conf allows data retention to be controlled by time?

A. maxDaysToKeep

B. moveToFrozenAfter 

C. maxDataRetentionTime 

D. frozenTimePeriodInSecs 

Answer: D 

Explanation: 
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy 


2. The universal forwarder has which capabilities when sending data? (select all that apply)

A. Sending alerts 

B. Compressing data 

C. Obfuscating/hiding data 

D. Indexer acknowledgement 

Answer: BD 

Explanation: 

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata
https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the%20forwarder%20sends%20raw%20data.


3. In case of a conflict between a whitelist and a blacklist input setting, which one is used?

A. Blacklist 

B. Whitelist 

C. They cancel each other out. 

D. Whichever is entered into the configuration first. 

Answer: A 

Explanation: 
https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

"It is not necessary to define both an allow list and a deny list in a configuration stanza. The settings are
independent. If you do define both filters and a file matches them both, Splunk Enterprise does not index
that file, as the blacklist filter overrides the whitelist filter."
Source: https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Whitelistorblacklistspecificincomingdata


4. In which Splunk configuration is the SEDCMD used?

A. props.conf

B. inputs.conf 

C. indexes.conf 

D. transforms.conf 

Answer: A 

Explanation: 

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

"You can specify a SEDCMD configuration in props.conf to address data that contains characters that the
third-party server cannot process."


Download the latest Splunk SPLK-1003 exam dumps for best preparation 


5. Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

A. CLI 

B. Edit inputs.conf

C. Edit forwarder.conf 

D. Forwarder Management 

Answer: ABD 

Explanation: 
https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/HowtoforwarddatatoSplunkEnterprise

"You can collect data on the universal forwarder using several methods. Define inputs on the universal
forwarder with the CLI. You can use the CLI to define inputs on the universal forwarder. After you define
the inputs, the universal forwarder collects data based on those definitions as long as it has access to the
data that you want to monitor. Define inputs on the universal forwarder with configuration files. If the input
you want to configure does not have a CLI argument for it, you can configure inputs with configuration
files. Create an inputs.conf file in the directory $SPLUNK_HOME/etc/system/local."


6. Which parent directory contains the configuration files in Splunk?

A. $SPLUNK_HOME/etc

B. $SPLUNK_HOME/var

C. $SPLUNK_HOME/conf

D. $SPLUNK_HOME/default

Answer: A 

Explanation: 

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

The section titled "Configuration file directories" states: "A detailed list of settings for each configuration file is provided in
the .spec file names for that configuration file. You can find the latest version of the .spec and .example
files in the $SPLUNK_HOME/etc/system/README folder of your Splunk Enterprise installation..."


7. Which forwarder type can parse data prior to forwarding?

A. Universal forwarder 

B. Heaviest forwarder 

C. Hyper forwarder 

D. Heavy forwarder 

Answer: D 

Explanation: 

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Typesofforwarders

"A heavy forwarder parses data before forwarding it and can route data based on criteria such as source 
or type of event." 


8. Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

A. Indexers 

B. Forwarder 
C. Search head

D. Search peers 

Answer: C 

Explanation: 
https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/Howuserscancontroldistributedsearches

"From the user standpoint, specifying and running a distributed search is essentially the same as running 
any other search. Behind the scenes, the search head distributes the query to its search peers, and 
consolidates the results when presenting them to the user." 


9. Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

A. Deployer 

B. Cluster master 

C. Deployment server 

D. Search head cluster master 

Answer: C 

Explanation: 

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: "The deployment server distributes deployment apps to clients."


10. Where should apps be located on the deployment server that the clients pull from?

A. $SPLUNK_HOME/etc/apps

B. $SPLUNK_HOME/etc/search

C. $SPLUNK_HOME/etc/master-apps

D. $SPLUNK_HOME/etc/deployment-apps

Answer: D 

Explanation: 

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients,
but it resides under $SPLUNK_HOME/etc/deployment-apps on the deployment server.

11. This file has been manually created on a universal forwarder:

[Screenshot: a manually created file under /opt/splunkforwarder/etc/a...; its contents are not recoverable from the page.]

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys
the same app with a new file, /opt/splunk/etc/deployment-apps/myTA/local/inputs.conf:

    [monitor:///var/log/maillog]
    sourcetype=maillog
    index=syslog


Which file is now monitored? 

A. /var/log/messages 

B. /var/log/maillog 

C. /var/log/maillog and /var/log/messages

D. none of the above

Answer: B 


12. In which phase of the index time process does the license metering occur?

A. input phase 

B. Parsing phase 

C. Indexing phase 

D. Licensing phase 

Answer: C 

Explanation: 

"When ingesting event data, the measured data volume is based on the new raw data that is placed into
the indexing pipeline. Because the data is measured at the indexing pipeline, data that is filtered and
dropped prior to indexing does not count against the license volume quota."
https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks


13. You update a props.conf file while Splunk is running. You do not restart Splunk and you run this
command: splunk btool props list --debug.

What will the output be? 

A. A list of all the configurations on-disk that Splunk contains.

B. A verbose list of all configurations as they were when splunkd started. 

C. A list of props.conf configurations as they are on-disk along with a file path from which the
configuration is located.

D. A list of the current running props.conf configurations along with a file path from which the
configuration was made.

Answer: C 

Explanation: 

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

"The btool command simulates the merging process using the on-disk conf files and creates a report 
showing the merged settings." 

"The report does not necessarily represent what's loaded in memory. If a conf file change is made that 
requires a service restart, the btool report shows the change even though that change isn't active." 
14. When running the command shown below, what is the default path in which deploymentserver.conf is
created?

splunk set deploy-poll deployServer:port

A. $SPLUNK_HOME/etc/deployment

B. $SPLUNK_HOME/etc/system/local

C. $SPLUNK_HOME/etc/system/default

D. $SPLUNK_HOME/etc/apps/deployment

Answer: C 

Explanation: 
https://docs.splunk.com/Documentation/Splunk/8.1.1/Updating/Definedeploymentclasses#Ways_to_define_server_classes

"When you use forwarder management to create a new server class, it saves the server class definition in a
copy of serverclass.conf under $SPLUNK_HOME/etc/system/local. If, instead of using forwarder management,
you decide to directly edit serverclass.conf, it is recommended that you create the serverclass.conf file in
that same directory, $SPLUNK_HOME/etc/system/local."


15. The priority of layered Splunk configuration files depends on the file's:

A. Owner 

B. Weight 

C. Context 

D. Creation time 

Answer: C 

Explanation: 
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles 

"To determine the order of directories for evaluating configuration file precedence, Splunk software
considers each file's context. Configuration files operate in either a global context or in the context of the
current app and user."


16. When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

A. Slash notation 

B. Regular expression 

C. Irregular expression 

D. Wildcard-only expression 

Answer: B 

Explanation: 
https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data


17. What is required when adding a native user to Splunk? (select all that apply)

A. Password

B. Username 

C. Full Name 

D. Default app 
Answer: AB

Explanation: 

According to the Splunk system admin course PDF, when adding native users, the username and password
are required.


18. What are the minimum required settings when creating a network input in Splunk?

A. Protocol, port number 

B. Protocol, port, location 

C. Protocol, username, port 

D. Protocol, IP, port number

Answer: A 

Explanation: 

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf 

[tcp://<remote server>:<port>]

* Configures the input to listen on a specific TCP network port.
* If a <remote server> makes a connection to this instance, the input uses this stanza to configure itself.
* If you do not specify <remote server>, this stanza matches all connections on the specified port.
* Generates events with source set to "tcp:<port>", for example: tcp:514
* If you do not specify a sourcetype, generates events with sourcetype set to "tcp-raw"


19. Which Splunk component requires a Forwarder license?

A. Search head

B. Heavy forwarder 

C. Heaviest forwarder 

D. Universal forwarder 

Answer: B 


20. Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?

A. _TCP_ROUTING 

B. INDEXER_LIST 

C. __INDEXER_GROUP 

D. INDEXER ROUTING 

Answer: A 

Explanation: 
https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Specifies a comma-separated list of tcpout group names. Use this setting to selectively forward your data 
to specific indexers by specifying the tcpout groups that the forwarder should use when forwarding the 
data. Define the tcpout group names in the outputs.conf file in [tcpout:<tcpout_group_name>] stanzas. 
The groups present in defaultGroup in [tcpout] stanza in the outputs.conf file. 


